High severityNVD Advisory· Published Jan 12, 2021· Updated Aug 4, 2024
CVE-2020-35653
CVE-2020-35653
Description
In Pillow before 8.1.0, PcxDecode has a buffer over-read when decoding a crafted PCX file because the user-supplied stride value is trusted for buffer calculations.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
pillowPyPI | < 8.1.0 | 8.1.0 |
Affected products
13- Pillow/Pillowdescription
- osv-coords12 versionspkg:bitnami/pillowpkg:pypi/pillowpkg:rpm/almalinux/python3-pillowpkg:rpm/opensuse/python-CairoSVG&distro=openSUSE%20Leap%2015.2pkg:rpm/opensuse/python-Pillow&distro=openSUSE%20Leap%2015.2pkg:rpm/opensuse/python-Pillow&distro=openSUSE%20Tumbleweedpkg:rpm/suse/python-Pillow&distro=HPE%20Helion%20OpenStack%208pkg:rpm/suse/python-Pillow&distro=SUSE%20OpenStack%20Cloud%207pkg:rpm/suse/python-Pillow&distro=SUSE%20OpenStack%20Cloud%208pkg:rpm/suse/python-Pillow&distro=SUSE%20OpenStack%20Cloud%209pkg:rpm/suse/python-Pillow&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208pkg:rpm/suse/python-Pillow&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209
< 8.1.0+ 11 more
- (no CPE)range: < 8.1.0
- (no CPE)range: < 8.1.0
- (no CPE)range: < 5.1.1-16.el8
- (no CPE)range: < 2.5.1-lp152.2.3.1
- (no CPE)range: < 8.3.1-lp152.5.3.1
- (no CPE)range: < 8.3.2-1.2
- (no CPE)range: < 4.2.1-3.14.1
- (no CPE)range: < 2.8.1-4.22.1
- (no CPE)range: < 4.2.1-3.14.1
- (no CPE)range: < 5.2.0-3.8.1
- (no CPE)range: < 4.2.1-3.14.1
- (no CPE)range: < 5.2.0-3.8.1
Patches
Vulnerability mechanics
References
10- github.com/advisories/GHSA-f5g8-5qq7-938wghsaADVISORY
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6BYVI5G44MRIPERKYDQEL3S3YQCZTVHE/mitrevendor-advisoryx_refsource_FEDORA
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BF553AMNNNBW7SH4IM4MNE4M6GNZQ7YD/mitrevendor-advisoryx_refsource_FEDORA
- nvd.nist.gov/vuln/detail/CVE-2020-35653ghsaADVISORY
- github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2021-69.yamlghsaWEB
- github.com/python-pillow/Pillow/commit/2f409261eb1228e166868f8f0b5da5cda52e55bfghsaWEB
- lists.debian.org/debian-lts-announce/2021/07/msg00018.htmlghsamailing-listx_refsource_MLISTWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6BYVI5G44MRIPERKYDQEL3S3YQCZTVHEghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BF553AMNNNBW7SH4IM4MNE4M6GNZQ7YDghsaWEB
- pillow.readthedocs.io/en/stable/releasenotes/index.htmlghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.